From 11a3b6218a47b1f69373e156cedab928417b51a9 Mon Sep 17 00:00:00 2001
From: Jonas Smedegaard <dr@jones.dk>
Date: Thu, 8 Oct 2020 14:11:52 +0200
Subject: support only Dovecot-based SASL (drop Cyrus-based SASL)

---
 postfix/postfix.sh | 65 ++++++------------------------------------------------
 1 file changed, 7 insertions(+), 58 deletions(-)

diff --git a/postfix/postfix.sh b/postfix/postfix.sh
index a328986..f95f339 100755
--- a/postfix/postfix.sh
+++ b/postfix/postfix.sh
@@ -54,16 +54,6 @@ fi
 #else
 #	exit1 "ERROR: Greylisting support (Debian package postgrey) missing."
 #fi
-cyrus=
-if [ -x /usr/sbin/saslauthd ]; then
-	if saslauthd -v 2>&1 | grep -q '^saslauthd 2.1'; then
-		cyrus=1
-	else
-		warn "Cyrus SASL too old - requires >= 2.1.1)."
-	fi
-else
-	warn "Cyrus SASL missing - (Debian package sasl2-bin)."
-fi
 dovecot=
 dovecot_deliver=
 if [ -x /usr/sbin/dovecot ]; then
@@ -82,24 +72,11 @@ if [ -f /etc/ssl/certs/postfix.pem ]; then
 else
 	warn "No TLS encryption - requires SSL certificate at /etc/ssl/certs/postfix.pem."
 fi
-sasl_main_type=
-sasl_dovecot=
-sasl_cyrus=
-if [ -n "$sslcert" ]; then
-	# FIXME: We really want to check for at least 2.1.1 but that's tricky...
-	if [ -n "$cyrus" ]; then
-		sasl_cyrus=1
-		sasl_main_type=cyrus
-	fi
-	if [ -n "$dovecot" ]; then
-		sasl_dovecot=1
-		sasl_main_type=dovecot
-	fi
-	if [ -z "$sasl_main_type" ]; then
-		warn "No SASL authentication - requires Cyrus SASL or Dovecot."
-	fi
+sasl=
+if [ -n "$sslcert" ] && [ -n "$dovecot" ]; then
+	sasl=1
 else
-	warn "No SASL authentication - requires TLS encryption."
+	warn "No SASL authentication - requires TLS encryption and Dovecot."
 fi
 amavis=
 default_amavis_maxproc=2
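Review bot: The new `sasl` flag is set from `$sslcert` and `$dovecot` alone, and the visible context (`[ -x /usr/sbin/dovecot ]`, the rest of that check lies outside this hunk) suggests `$dovecot` only establishes that Dovecot is installed, not that it exports an auth socket to Postfix. Because a later hunk points `smtpd_sasl_path` at `private/auth`, a comment above `sasl=` would document the real precondition, for example `# SASL needs TLS plus Dovecot serving an auth socket at private/auth under the Postfix queue directory`. The removed `sasl_main_type`, `sasl_dovecot` and `sasl_cyrus` are also worth grepping for in the rest of the script, since a leftover reference would expand to an empty string without any error.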
@@ -284,36 +261,10 @@ $postconf -c "$tempdir" -e "unverified_recipient_reject_code = 550"
 if [ -n "$dovecot_deliver" ]; then
 	$postconf -c "$tempdir" -e mailbox_command=/usr/lib/dovecot/deliver
 fi
-if [ -n "$sasl_cyrus" ]; then
-	saslsubdir="sasl"
-	mkdir -p "$tempdir/$saslsubdir"
-	echo 'mech_list: plain login' > "$tempdir/$saslsubdir/smtpd.conf"
-	echo 'minimum_layer: 0' >> "$tempdir/$saslsubdir/smtpd.conf"
-	echo 'sasl_pwcheck_method: saslauthd' >> "$tempdir/$saslsubdir/smtpd.conf"
-	echo 'auto_transition: false' >> "$tempdir/$saslsubdir/smtpd.conf"
-	groups postfix | grep -q sasl || echo "adduser postfix sasl" >> "$tempdir/COMMANDS"
-	# Release TLS-related daemons from chroot jail (bringing SASL into the jail is just too messy)
-	sed --in-place \
-		-e "s/^\(smtp$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]\(\($sp\+-\)\{2\}$sp\+smtpd\).*/\1n\3 -o smtpd_sasl_auth_enable=yes/" \
-		-e "s/^#\?\(\(smtps\|587\)$sp\+inet\($sp\+[n-]\)\{2\}$sp\+\)[n-]/\1n/" \
-		-e "s/^#\(tlsmgr$sp\)/\1/" \
-		"$tempdir/master.cf"
-	addoroverwritewithindents $tempdir/master.cf '^tlsmgr\h' << EOF
-tlsmgr	unix	-	-	-	300	1	tlsmgr
-EOF
-fi
-case "$sasl_main_type" in
-  '')	;;
-  dovecot)
+if [ -n "$sasl" ]; then
 	$postconf -c "$tempdir" -e smtpd_sasl_type=dovecot
 	$postconf -c "$tempdir" -e smtpd_sasl_path=private/auth
-	;;
-  cyrus)
-	$postconf -c "$tempdir" -e smtpd_sasl_type=cyrus
-	$postconf -c "$tempdir" -e smtpd_sasl_path=smtpd
-	;;
-  *) exit1 "ERROR: Wrong SASL type \"$sasl_main_type\"!";;
-esac
+fi
 # Avoid smtpd_tls_CApath or smtpd_tls_CAfile to trick outlook.com
 # See <http://postfix.1071664.n5.nabble.com/Problems-with-incoming-mails-from-outlook-com-td78356.html>
 if [ -n "$sslcert" ]; then
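Review bot: Nothing in this hunk turns authentication on once the Cyrus block is gone: the removed sed was the visible place that appended `-o smtpd_sasl_auth_enable=yes` to the smtp service in master.cf, while the new `if [ -n "$sasl" ]` branch sets only `smtpd_sasl_type` and `smtpd_sasl_path`. Unless it is enabled elsewhere in the script (not visible here), add `$postconf -c "$tempdir" -e smtpd_sasl_auth_enable=yes` inside the branch. Pairing it with `$postconf -c "$tempdir" -e smtpd_tls_auth_only=yes` would enforce the TLS requirement that the warning text states, so credentials are never accepted on an unencrypted session. The same removed sed also uncommented the smtps/587 and tlsmgr entries, so it is worth confirming those are still handled for Dovecot-only setups.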
@@ -485,9 +436,7 @@ fi
 # PCRE stuff avoided, as PCRE is only optional on newest Debian packages
 # RBLs replaced with those recommended by http://www.antispews.org/
 # AMaViS tweaks as documented in amavisd-new package
-# AUTH-SMTP based on these:
-#   http://lists.q-linux.com/pipermail/plug/2003-July/029503.html
-#   http://www.porcupine.org/postfix-mirror/newdoc/SASL_README.html
+# AUTH-SMTP based on this: http://www.postfix.org/SASL_README.html
 
 # Here's a convenient overview of different blackholes:
 #   http://rbls.org/
-- 
cgit v1.2.3